System for augmenting access to resources

ABSTRACT

The different illustrative embodiments provide a method, data processing system, and computer program product for managing access to resources. A number of access permissions of a first user to a number of resources in a computer system are provided to a second user in response to a presentation of first credentials for the first user to the computer system. A level of presence of the first user relative to the computer system and/or the second user is monitored. The number of access permissions of the first user to the number of resources in the computer system continues to be provided to the second user as long as a preselected level of presence of the first user is present.

BACKGROUND

1. Field

The disclosure relates generally to data processing systems and, in particular, to a method and apparatus for processing data. Still more particularly, the present disclosure relates to a method and apparatus for managing access to resources.

2. Description of the Related Art

Network data processing systems provide resources that are accessed by different users. These resources may take a number of different forms including, for example, hardware, software, and a combination of hardware and software. For example, users may access documents, databases, spreadsheets, images, video, programs, printers, server processes, routers, and/or other resources in a network data processing system.

Some users often have different access levels as compared to other users. The access to resources is often controlled through various permissions assigned to the different users. These permissions may be implemented using mechanisms, such as access control lists. An access control list is a list of permissions attached to a resource. An access control list specifies which users or system processes are allowed to access a resource. Additionally, an access control list specifies what operations are allowed to be performed on a resource.

Different users are provided different types of access to resources based on a number of different factors. For example, a newer employee may be granted limited access to a resource, while a more experienced employee may be granted additional access to a particular resource. For example, if the employee is a software engineer in training, the software engineer may not receive as many permissions to resources as compared to a more experienced software engineer. This less-experienced software engineer is a trainee and receives training on software systems before receiving any additional permissions.

With this type of training, the trainee may review certain parts of a code base under the supervision of a trainer. The trainee is eventually asked to update the code base but currently only has read-only access. The trainer may be an experienced software engineer with knowledge about code bases. The trainee has not been given access to change the code base, because the trainee has not yet received the training for this type of updating. The trainer may train the trainee physically at a computer with the trainee or through an e-meeting.

During the training, the trainee is provided an opportunity to update the code base under the supervision of the trainer. Currently, the trainer logs in using the trainer's credentials to obtain access to write to the code base. Then the trainee performs the updates under the supervision of the trainer. In this manner, the trainee is able to learn about coding conventions and make the needed changes to update the code base.

SUMMARY

The different illustrative embodiments provide a method, data processing system, and computer program product for managing access to resources. A number of access permissions of a first user to a number of resources in a computer system are provided to a second user in response to a presentation of first credentials for the first user to the computer system. A level of presence of the first user relative to the computer system is monitored. The number of access permissions of the first user to the number of resources in the computer system continues to be provided to the second user as long as a preselected level of presence of the first user is present.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 is an illustrative diagram of a data processing environment in which illustrative embodiments may be implemented;

FIG. 2 is an illustration of a data processing system in accordance with an illustrative embodiment;

FIG. 3 is an illustration of a block diagram of a resource management environment in accordance with an illustrative embodiment;

FIG. 4 is an illustration of a monitoring system in accordance with an illustrative embodiment;

FIG. 5 is an illustration of a diagram of a policy in accordance with an illustrative embodiment;

FIG. 6 is an illustration of a resource management environment in accordance with an illustrative embodiment;

FIG. 7 is an illustration of a resource management environment in accordance with an illustrative embodiment;

FIG. 8 is an illustration of a flowchart of a process for managing resources in a network in accordance with an illustrative embodiment;

FIG. 9 is an illustration of a flowchart of a process for ceasing to provide a user permission to access resources in accordance with an illustrative embodiment; and

FIG. 10 is an illustration of a flowchart of a process for managing access to resources in accordance with an illustrative embodiment.

DETAILED DESCRIPTION

As will be appreciated by one skilled in the art, the present invention may be embodied as a system, method or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, the present invention may take the form of a computer program product embodied in any tangible medium of expression having computer usable program code embodied in the medium.

Any combination of one or more computer usable or computer readable medium(s) may be utilized. The computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CDROM), an optical storage device, a transmission media such as those supporting the Internet or an intranet, or a magnetic storage device.

Note that the computer-usable or computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory. In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the data processing system, apparatus, or device. The computer-usable medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. The computer usable program code may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc.

Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

The present invention is described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions.

These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

With reference now to the figures and in particular with reference to FIG. 1, an illustrative diagram of a data processing environment is provided in which illustrative embodiments may be implemented. It should be appreciated that FIG. 1 is only provided as an illustration of one implementation and is not intended to imply any limitation with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environments may be made.

FIG. 1 depicts a pictorial representation of a network of data processing systems in which illustrative embodiments may be implemented. Network data processing system 100 is a network of computers in which the illustrative embodiments may be implemented. Network data processing system 100 contains network 102, which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100. Network 102 may include connections, such as wire, wireless communication links, or fiber optic cables.

In the depicted example, server computer 104 and server computer 106 connect to network 102 along with storage unit 108. In addition, client computers 110, 112, and 114 connect to network 102. Client computers 110, 112, and 114 may be, for example, personal computers or network computers. In the depicted example, server computer 104 provides information, such as boot files, operating system images, and applications to client computers 110, 112, and 114. Client computers 110, 112, and 114 are clients to server computer 104 in this example. Network data processing system 100 may include additional server computers, client computers, and other devices not shown.

Different users of the computers of network data processing system 100 may have different permissions to access various resources within network data processing system 100. Processes and apparatus to control permissions for users may be implemented in network data processing system 100 in accordance with an illustrative embodiment.

Program code located in network data processing system 100 may be stored on a computer recordable storage medium and downloaded to a data processing system or other device for use. For example, program code may be stored on a computer recordable storage medium on server computer 104 and downloaded to client computer 110 over network 102 for use on client computer 110.

In the depicted example, network data processing system 100 is the Internet with network 102 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, governmental, educational and other computer systems that route data and messages. Of course, network data processing system 100 also may be implemented as a number of different types of networks, such as for example, an intranet, a local area network (LAN), or a wide area network (WAN). FIG. 1 is intended as an example, and not as an architectural limitation for the different illustrative embodiments.

Turning now to FIG. 2, an illustration of a data processing system is depicted in accordance with an illustrative embodiment. Data processing system 200 is an example of a data processing system that may be used to implement different computers in network data processing system 100 in FIG. 1. In this illustrative example, data processing system 200 includes communications fabric 202, which provides communications between processor unit 204, memory 206, persistent storage 208, communications unit 210, input/output (I/O) unit 212, and display 214.

Processor unit 204 serves to execute instructions for software that may be loaded into memory 206. Processor unit 204 may be a number of processors, a multi-processor core, or some other type of processor, depending on the particular implementation. A number, as used herein with reference to an item, means one or more items. Further, processor unit 204 may be implemented using a number of heterogeneous processor systems in which a main processor is present with secondary processors on a single chip. As another illustrative example, processor unit 204 may be a symmetric multi-processor system containing multiple processors of the same type.

Memory 206 and persistent storage 208 are examples of storage devices 216. A storage device is any piece of hardware that is capable of storing information, such as, for example, without limitation, data, program code in functional form, and/or other suitable information either on a temporary basis and/or a permanent basis. Memory 206, in these examples, may be, for example, a random access memory or any other suitable volatile or non-volatile storage device. Persistent storage 208 may take various forms, depending on the particular implementation.

For example, persistent storage 208 may contain one or more components or devices. For example, persistent storage 208 may be a hard drive, a flash memory, a rewritable optical disk, a rewritable magnetic tape, or some combination of the above. The media used by persistent storage 208 also may be removable. For example, a removable hard drive may be used for persistent storage 208.

Communications unit 210, in these examples, provides for communications with other data processing systems or devices. In these examples, communications unit 210 is a network interface card. Communications unit 210 may provide communications through the use of either or both physical and wireless communications links.

Input/output unit 212 allows for input and output of data with other devices that may be connected to data processing system 200. For example, input/output unit 212 may provide a connection for user input through a keyboard, a mouse, and/or some other suitable input device. Further, input/output unit 212 may send output to a printer. Display 214 provides a mechanism to display information to a user.

Instructions for the operating system, applications, and/or programs may be located in storage devices 216, which are in communication with processor unit 204 through communications fabric 202. In these illustrative examples, the instructions are in a functional form on persistent storage 208. These instructions may be loaded into memory 206 for running by processor unit 204. The processes of the different embodiments may be performed by processor unit 204 using computer implemented instructions, which may be located in a memory, such as memory 206.

These instructions are referred to as program code, computer usable program code, or computer readable program code that may be read and run by a processor in processor unit 204. The program code in the different embodiments may be embodied on different physical or computer readable storage media, such as memory 206 or persistent storage 208.

Program code 218 is located in a functional form on computer readable media 220 that is selectively removable and may be loaded onto or transferred to data processing system 200 for running by processor unit 204. Program code 218 and computer readable media 220 form computer program product 222 in these examples. In one example, computer readable media 220 may be computer readable storage media 224 or computer readable signal media 226. Computer readable storage media 224 may include, for example, an optical or magnetic disk that is inserted or placed into a drive or other device that is part of persistent storage 208 for transfer onto a storage device, such as a hard drive, that is part of persistent storage 208. Computer readable storage media 224 also may take the form of a persistent storage, such as a hard drive, a thumb drive, or a flash memory, that is connected to data processing system 200. In some instances, computer readable storage media 224 may not be removable from data processing system 200. In these illustrative examples, computer readable storage media 224 is a non-transitory computer readable storage medium.

Alternatively, program code 218 may be transferred to data processing system 200 using computer readable signal media 226. Computer readable signal media 226 may be, for example, a propagated data signal containing program code 218. For example, computer readable signal media 226 may be an electromagnetic signal, an optical signal, and/or any other suitable type of signal. These signals may be transmitted over communications links, such as wireless communications links, optical fiber cable, coaxial cable, a wire, and/or any other suitable type of communications link. In other words, the communications link and/or the connection may be physical or wireless in the illustrative examples.

In some illustrative embodiments, program code 218 may be downloaded over a network to persistent storage 208 from another device or data processing system through computer readable signal media 226 for use within data processing system 200. For instance, program code stored in a computer readable storage medium in a server data processing system may be downloaded over a network from the server to data processing system 200. The data processing system providing program code 218 may be a server computer, a client computer, or some other device capable of storing and transmitting program code 218.

The different components illustrated for data processing system 200 are not meant to provide architectural limitations to the manner in which different embodiments may be implemented. The different illustrative embodiments may be implemented in a data processing system including components in addition to or in place of those illustrated for data processing system 200. Other components shown in FIG. 2 can be varied from the illustrative examples shown.

The different embodiments may be implemented using any hardware device or system capable of running program code. As one example, the data processing system may include organic components integrated with inorganic components and/or may be comprised entirely of organic components excluding a human being. For example, a storage device may be comprised of an organic semiconductor. As another example, a storage device in data processing system 200 is any hardware apparatus that may store data. Memory 206, persistent storage 208, and computer readable media 220 are examples of storage devices in a tangible form.

In another example, a bus system may be used to implement communications fabric 202 and may be comprised of one or more buses, such as a system bus or an input/output bus. Of course, the bus system may be implemented using any suitable type of architecture that provides for a transfer of data between different components or devices attached to the bus system. Additionally, a communications unit may include one or more devices used to transmit and receive data, such as a modem or a network adapter. Further, a memory may be, for example, memory 206, or a cache such as found in an interface and memory controller hub that may be present in communications fabric 202.

The illustrative embodiments recognize and take into account a number of different considerations. For example, the illustrative embodiments recognize and take into account that having a trainer log in with the trainer's credentials to obtain access to a resource for use by a trainee for training may leave a security gap in the management of resources. An example of one situation in which a security gap may occur is if the trainer forgets to log out and leaves the trainee at the computer. With this situation, a potential exists for the trainee to make changes to a resource that may cause undesired effects on the resource if the trainee accesses the resource without the experience or training needed. For example, if the trainee performs additional updates for the code base without supervision, the trainee may make mistakes due to the lack of experience and needed training. The result may be that the code base no longer functions or performs desired operations when run on a computer.

The different illustrative embodiments also recognize that in some cases the trainer may be present, but the trainer's attention may be taken away from the training process. For example, the trainer may receive an email, a telephone call, or some other event may occur that may decrease the level of engagement of the trainer in the training session. The different illustrative embodiments recognize that the trainer has to remember to revoke the access provided to the trainee while taking care of another situation.

The different illustrative embodiments recognize and take into account that these and other situations make it undesirable to have trainers sharing their access credentials, such as user ids and passwords, with trainees. Actions performed under a shared credential are also recorded against the trainer rather than against the trainee who actually performed them. The illustrative embodiments recognize and take into account that it is desirable to have each user, including the trainee, log in with their own user identification and password.

Thus, the different illustrative embodiments provide a method and apparatus for managing access to resources. In response to a presentation of first credentials for a first user to a computer system, a second user is provided a number of access permissions of the first user to resources in the computer system. A level of presence of the first user relative to the computer system is monitored. The second user continues to be provided the number of access permissions of the first user to the resources in the computer system as long as a preselected level of presence of the first user is present. The presence of the first user may be at least one of physical proximity, logical proximity, and a level of communication relative to the computer system.

With reference now to FIG. 3, a block diagram of a resource management environment is depicted in accordance with an illustrative embodiment. Network data processing system 100 in FIG. 1 is an example of hardware that may be used in resource management environment 300.

In this illustrative example, resource management environment 300 includes computer system 302. Computer system 302 is comprised of number of computers 304. A number, as used herein with reference to items, means one or more items. For example, a number of computers is one or more computers. Computer system 302 may be, for example, network data processing system 100, data processing system 200, or some other combination of hardware in which processor units and computers are present.

As depicted, users 306 perform operations at computer system 302. In these examples, users 306 include first user 308 and second user 310. In this example, first user 308 is trainer 312, and second user 310 is trainee 314.

First user 308 presents first credentials 316 to computer system 302. First credentials 316 verify the identity of first user 308. In these examples, credentials are information used to control access to resources 318 in computer system 302. These credentials may take a number of different forms. For example, first credentials 316 may be at least one of a password and user identifier, a certificate, a biometric input, and some other suitable form of credential.

As used herein, the phrase “at least one of”, when used with a list of items, means that different combinations of one or more of the listed items may be used and only one of each item in the list may be needed. For example, “at least one of item A, item B, and item C” may include, for example, without limitation, item A or item A and item B. This example also may include item A, item B, and item C, or item B and item C.

In response to the presentation of first credentials 316 for first user 308 to computer system 302, second user 310 is provided with number of access permissions 320 of first user 308 to number of resources 322 in resources 318. Number of access permissions 320 allows first user 308 access to number of resources 322. In this illustrative example, this access is controlled using access control process 324 which runs on computer system 302.

Second user 310 may have number of access permissions 320 to number of resources 322. Number of access permissions 320 may be a particular number of access permissions provided for a user in training. Number of access permissions 320 may be in the form of an access control list for second user 310. In one illustrative example, access control process 324 may add number of access permissions 320 of first user 308 to the number of access permissions in the access control list for second user 310. This access control list allows second user 310 to access number of resources 322.

In another example, access control process 324 may generate a second access control list containing number of access permissions 320 for second user 310. This second access control list may take the place of the access control list for second user 310 while number of access permissions 320 are being provided, so as to give second user 310 access to number of resources 322. For example, the second access control list may be used when second user 310 is in training with first user 308.

Number of resources 322 may take a number of different forms. For example, number of resources 322 may be at least one of an application, code, an executable file, a dynamic link library, a word processing file, an image, a spreadsheet, a server process, a router, a switch, a computer within computer system 302, an access point, a proxy server, and other suitable resources.

In these illustrative examples, access control process 324 selects number of access permissions 320 from permissions 323 for first user 308. Number of access permissions 320 is selected using policy 325 in these illustrative examples. Policy 325 is a number of rules used by access control process 324 in controlling access to resources 318.

Access control process 324 monitors level of presence 326 of first user 308 relative to computer system 302. In these examples, the monitoring is performed using monitoring system 327. Access control process 324 continues to provide second user 310 number of access permissions 320 as long as preselected level of presence 328 for first user 308 is present.

If level of presence 326 of first user 308 falls below preselected level of presence 328, access control process 324 ceases to provide second user 310 number of access permissions 320. Additionally, access control process 324 also may cease to provide second user 310 number of access permissions 320 for first user 308 in response to event 330 using policy 325, even though preselected level of presence 328 for first user 308 is present.

Policy 325 is used by access control process 324 to determine when event 330 should cause access control process 324 to cease to provide number of access permissions 320 for first user 308 to second user 310. This ceasing to provide number of access permissions 320 may also be referred to as a revocation of number of access permissions 320. In some illustrative examples, policy 325 may indicate a period of time during which number of access permissions 320 are provided to second user 310. In other illustrative examples, policy 325 may also indicate which access permissions in permissions 323 to select as number of access permissions 320 for first user 308 to provide to second user 310.

In these illustrative examples, event 330 may take a number of different forms. For example, event 330 may be selected from an attempt to access a selected file, an input to delete a particular file, a movement of an application from a foreground to a background state, second user 310 no longer sharing a screen in an electronic meeting, or some other suitable event.

Level of presence 326 may take a number of different forms. For example, level of presence 326 may be selected from at least one of a physical proximity, a collaboration proximity, a level of actions performed by first user 308, a type of action, a presence of first user 308 with second user 310 in an electronic conference, a presence of first user 308 and second user 310 at a computer in computer system 302, communication between first user 308 and second user 310, first user 308 communicating with second user 310 over a telephone, and other suitable types of presence for first user 308 that can be measured. A physical proximity of a user may be, for example, a presence of a user at a computer, and/or the distance of a user with respect to a computer. A collaboration proximity of a user may be, for example, a presence of a user in a web conference, over a telephone, in a chat session, and/or having some other communication or interaction between first user 308 and second user 310. The presence of a user may be determined by a frequency of instant messages, a frequency of responses during a phone conversation, a level of interaction in a web conference or chat session, or some other suitable factor.

In some illustrative examples, number of access permissions 320 is only a portion of plurality of access permissions 334 for first user 308. In some illustrative examples, second user 310 may be provided with additional access permissions 336 from plurality of access permissions 334. For example, additional access permissions 336 from plurality of access permissions 334 may be provided to second user 310 in response to event 338. Event 338 may be an event that occurs during a training session. For example, event 338 may be one of a completion of a portion of a training section, a selected access on number of resources 322 made by first user 308, a selected access on number of resources 322 made by second user 310, a user input from first user 308, or some other suitable type of event.

Additionally, second user 310 also may be provided number of access permissions 340 from third user 342. In this example, third user 342 is trainer 344. Number of access permissions 340 may be different from, or have some overlap with, number of access permissions 320. Second user 310 is provided with number of access permissions 340 for third user 342 in response to presentation of second credentials 346 for third user 342 to computer system 302.

In a similar fashion, access control process 324 may monitor level of presence 348 for third user 342. Number of access permissions 340 may continue to be provided to second user 310 as long as preselected level of presence 350 for third user 342 is present. Preselected level of presence 350 may be different from preselected level of presence 328, depending on the particular implementation. Additionally, second number of resources 352 may be the same as number of resources 322. Of course, other numbers of users that function as trainers also may be present in addition to first user 308 and third user 342. These other users also may provide additional numbers of permissions to second user 310.

The illustration of resource management environment 300 in FIG. 3 is not meant to imply physical or architectural limitations to the manner in which different illustrative embodiments may be implemented. Other components in addition to and/or in place of the ones illustrated may be used. Some components may be unnecessary in some advantageous embodiments. Also, the blocks are presented to illustrate some functional components. One or more of these blocks may be combined and/or divided into different blocks when implemented in different advantageous embodiments.

For example, in other illustrative embodiments, additional users, in addition to second user 310, who are also trainees, may be present. These additional users also may be provided number of access permissions 320 and/or number of access permissions 340 in the same manner as second user 310.

In yet other illustrative embodiments, level of presence 326 for first user 308 may be made up of different types of presence. For example, first user 308 may be physically present with respect to a computer system and second user 310. When another trainee is present, first user 308 may work with that trainee at the same time as second user 310 through a teleconference. The amount of interaction of first user 308 with the teleconference may be used to measure level of presence 326 of first user 308.

In still other illustrative embodiments, the relationship between first user 308 and second user 310 may be some suitable relationship other than that between a trainer and a trainee. For example, without limitation, first user 308 may be an administrator and second user 310 may be a user. In some examples, first user 308 may be a manager and second user 310 may be an employee. In other examples, first user 308 may be a member of an organization and second user 310 may be a guest of the organization. In still other examples, first user 308 may be a security officer with a high level of security clearance as compared to second user 310, who may be a security officer with a low level of security clearance as compared to first user 308. In some illustrative embodiments, first user 308 may be a team leader and second user 310 may be a team member.

In other illustrative embodiments, first user 308 and second user 310 may be provided number of access permissions 320 only when first user 308 and second user 310 both have level of presence 326. In other words, first user 308 and second user 310 may only be provided access to number of resources 322 when both first user 308 and second user 310 have level of presence 326.

With reference now to FIG. 4, an illustration of a monitoring system is depicted in accordance with an illustrative embodiment. In this example, monitoring system 400 is an example of one implementation for monitoring system 327 in FIG. 3. The different devices illustrated in FIG. 4 may be used to detect a level of presence of a user. In particular, these devices may be used to detect a level of presence of a user in the form of a physical proximity of a user and/or a level of actions performed by a user.

In this illustrative example, monitoring system 400 may include at least one of user input devices 402 and biometric sensor system 404. User input devices 402 may include at least one of keyboard 406, pointing device 408, touch screen 410, audio input device 411, and other suitable devices for receiving user input. Keyboard 406 may detect keystrokes entered by a user. Pointing device 408 detects movement of a pointer made by a user as well as movement of objects that may be selected using pointing device 408. Touch screen 410 may receive user input from a finger or a stylus manipulated by a user. Audio input device 411 may be, for example, a microphone that detects sound. These different devices may be used to detect the level of presence of a user, such as level of presence 326 of first user 308 in resource management environment 300 in FIG. 3.

The amount of activity extracted from user input devices 402 may be used to provide some level of presence. For example, a number of keystrokes made using keyboard 406 may be used to determine an amount of activity of a user. This amount of activity may be used to identify the level of presence of the user. Keystroke counts alone do not establish which user produced them when the trainer and the trainee share one computer, so input activity is normally combined with biometric sensor system 404, described below, which can attribute presence to a particular user.

The level of presence of a user also may be detected through biometric sensor system 404. Biometric sensor system 404 may include at least one of fingerprint scanner 412, iris scanner 414, voice recognition system 416, facial recognition system 418, and other suitable components. Fingerprint scanner 412 may be used to detect whether a particular user is located at a computer. Fingerprint scanner 412 may be used to detect the level of presence of a user based on the user's access to a computer. Iris scanner 414 may be used in a similar fashion to detect whether a particular user is present at a computer.

Voice recognition system 416 and/or facial recognition system 418 may be able to detect the presence of a user at a computer. Further, these two systems also may be used to detect the amount of interaction or use of the computer by the user as well as the physical proximity of the user with respect to the computer.
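The following Python example, added here and not part of the patent's disclosure, shows one way monitoring system 400 could turn raw device output into a level of presence and compare it with a preselected level. The sample stream, the 30-second activity window, the weighting of input activity against physical presence, the distance estimate attributed to the camera, and the use of two thresholds (one to provide permissions, a lower one to suspend them) are all assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Sample:
    """One second of monitoring-system output (constructed for this example).

    keystrokes: keystrokes seen by the keyboard in that second
    face:       1 if the facial recognition system saw the trainer, else 0
    distance_m: trainer-to-computer distance estimated from the camera
                (a hypothetical sensor output, not specified by the text)
    """
    t: int
    keystrokes: int
    face: int
    distance_m: float


@dataclass
class PresenceMonitor:
    """Turn raw device samples into a level of presence in [0, 1] and compare it
    with a preselected level. Two thresholds (hysteresis) stop the grant from
    flapping on and off every time the trainer pauses for a moment."""
    window_s: int = 30           # sliding window over input activity
    max_rate: float = 1.0        # keystrokes/s that counts as fully active
    max_distance_m: float = 2.0  # farther than this is "not at the computer"
    enter_level: float = 0.65    # level needed to (re)provide permissions
    exit_level: float = 0.40     # level below which permissions are suspended
    present: bool = False
    _window: deque = field(default_factory=deque)

    def level(self) -> float:
        """Physical presence gates everything; input activity raises the level."""
        if not self._window:
            return 0.0
        latest = self._window[-1]
        physical = latest.face and latest.distance_m <= self.max_distance_m
        if not physical:
            return 0.0
        keys = sum(s.keystrokes for s in self._window)
        activity = min(1.0, keys / (self.max_rate * self.window_s))
        return 0.5 + 0.5 * activity   # seated but idle scores 0.5

    def update(self, sample: Sample) -> bool:
        """Feed one sample; return whether the preselected level is present."""
        self._window.append(sample)
        while sample.t - self._window[0].t >= self.window_s:
            self._window.popleft()
        lvl = self.level()
        if self.present and lvl < self.exit_level:
            self.present = False
        elif not self.present and lvl >= self.enter_level:
            self.present = True
        return self.present


def simulate(samples) -> list:
    """Run one monitor over a sample stream; one bool per sample."""
    monitor = PresenceMonitor()
    return [monitor.update(s) for s in samples]


# Constructed 55-second scenario: the trainer types, sits idle, walks away,
# then comes back and resumes typing.
SAMPLES = (
    [Sample(t, 2, 1, 1.0) for t in range(0, 10)]     # typing at the computer
    + [Sample(t, 0, 1, 1.0) for t in range(10, 40)]  # idle but still seated
    + [Sample(t, 0, 0, 5.0) for t in range(40, 45)]  # gone: no face, far away
    + [Sample(t, 4, 1, 0.8) for t in range(45, 55)]  # back, typing again
)

if __name__ == "__main__":
    for t, present in enumerate(simulate(SAMPLES)):
        print(t, "present" if present else "absent")
```

With these settings the trainer is recognised as present after a few seconds of typing, stays present while seated but idle, loses presence the second the camera no longer sees a face within range, and has to type again for a few seconds before permissions come back. The hysteresis matters operationally: a single threshold would revoke and restore the trainee's permissions on every short pause, which is noisy for the trainee and noisy in the audit log.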

With reference now to FIG. 5, a diagram of a policy is depicted in accordance with an illustrative embodiment. Policy 500 is an example of one implementation for policy 325 in FIG. 3.

As depicted, policy 500 includes selection rules 502 and removal rules 504. Selection rules 502 are used to select the number of permissions of the trainer given to the trainee. Removal rules 504 are rules used to remove the number of permissions of the trainer given to the trainee.

In these illustrative examples, selection rules 502 include at least one of trainee 506, type of trainee 508, and events 510. Trainee 506 is a rule that identifies a number of permissions for a particular trainee. Each trainee may be assigned a number of permissions for each trainer that may work with the trainee. This number of permissions may be assigned based on the relationship between the trainer and the trainee. For example, the number of permissions for the trainer may be assigned to the trainee based on the position of the trainer and the trainee in a social network or organizational network.

Type of trainee 508 is a rule that identifies a number of permissions assigned to a trainee based on the class or title of a trainee. For example, a software engineer in training may be assigned a different number of permissions of a trainer as compared to an IT person in training.

Events 510 are rules for selecting a number of permissions for a trainee based on events that may occur. For example, events 510 may include steps completed 512 and resources accessed 514. Steps completed 512 are rules that assign or provide the trainee additional permissions of the trainer as different steps in a training session are completed. For example, with a successful completion of changes to a code base, a software engineer in training may be provided additional permissions to run the code base. Resources accessed 514 may include rules that provide the trainee additional permissions based on the resources being used. As one illustrative example, a rule may indicate that a trainee may not have access to edit particular files until other files have been edited.

Removal rules 504 are rules used to remove permissions from the trainee. For example, removal rules 504 include level of presence 516 and events 518. Level of presence 516 includes rules that identify when permissions should be removed from a trainee based on a level of presence of a trainer. For example, level of presence 516 may include physical rules 520, logical presence 525, and activity 522.

For example, physical rules 520 include presence 524 and distance 526. Presence 524 includes rules that indicate that a physical presence of the trainer at the computer of the trainee is sufficient to maintain providing the number of permissions of the trainer to the trainee. Distance 526 includes rules that indicate a distance from the computer of the trainee within which the trainer must remain for the number of permissions to still be provided. If the trainer moves outside of the distance in the rules in distance 526, the number of permissions is removed or is no longer provided to the trainee.

Logical presence 525 includes rules for the collaboration proximity of the trainer to the trainee. For example, logical presence 525 may be a level of involvement or interaction with a web conference or telephone conference. In this type of example, logical presence 525 may include web conference 528 or telephone conference 530. Web conference 528 may be a rule that the trainer must be on a web conference with the trainee for the number of permissions to be provided to the trainee.

Telephone conference 530, in this example, is a rule stating that a telephone conference must be present between the trainer and the trainee for the number of permissions to continue to be provided to the trainee. If the telephone conference is terminated by the trainer, the trainee, or through some other unexpected event, the number of permissions is no longer provided to the trainee. In some illustrative examples, the number of permissions may no longer be provided to the trainee in response to an absence of conversation during the telephone conference for a selected period of time.

Activity 522 includes trainer input 532 and trainer actions 534. Trainer input 532 includes rules identifying the input that a trainer makes to provide the level of presence needed to continue to provide the number of permissions of the trainer to the trainee. For example, the trainer input may be keystrokes to a keyboard, mouse movement and input, and/or other suitable input. Trainer actions 534 include rules identifying actions of the trainer that indicate whether the trainer is concentrating on the training session or has become distracted.

For example, trainer actions 534 may include detecting that the movement and/or location of the user indicate that the trainer is engaged in the training session. If the trainer picks up a phone and begins a conversation during the training session, these trainer actions may indicate that the level of presence is no longer high enough to provide the number of permissions of the trainer to the trainee.

As another example, if the trainer does not remain facing the computer for some period of time, the trainer may be considered to no longer have a level of presence that provides a number of permissions of the trainer to the trainee.

Events 518 are rules that cause the access control process to no longer provide the number of permissions to the trainee, even though level of presence 516 in removal rules 504 may be met. For example, events 518 include resource access 536, selected action 538, trainer input 540, and period of time 542. Resource access 536 may remove the number of permissions if the trainee attempts to access a particular resource or number of resources that have been identified in the rule. For example, in a training session, a trainee may only be provided the number of permissions to one code base and not another code base. If the trainee attempts to access the second code base, the number of permissions is removed.

Selected action 538 includes rules identifying a number of actions on a resource that cause the number of permissions of the trainer to no longer be provided to the trainee. For example, if the trainee attempts to delete a particular file or library, the number of permissions is no longer provided, and the deletion of the particular file or library does not occur. Trainer input 540 may be an input from the trainer to remove the number of permissions from the trainee even though the trainer has met the rules in level of presence 516 needed to provide the number of permissions to the trainee.

Period of time 542 includes rules that identify a period of time after which permissions are no longer provided to a trainee. Period of time 542 may be a period of time entered by the trainer or some other user as to how long the trainee will have the number of permissions of the trainer. For example, the period of time may be selected as being 10 minutes, 30 minutes, one hour, or some other suitable period of time. After this period of time has elapsed, the trainee is no longer provided with the number of permissions of the trainer. This occurs even if the trainer still meets the rules in level of presence 516 in these depicted examples.
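The rule families of policy 500 can be written down as data and evaluated by two small functions. The Python below is an added example, not code from the patent. The permission names (written as action:resource), the trainee names and types, the threshold values, and the split of removal rules into reasons that suspend permissions (level of presence 516, after which permissions may be restored) and reasons that revoke them (events 518, after which they are not) are assumptions chosen to match the description above; resource access 536 and selected action 538 are left to the access check itself and are not evaluated here.

```python
from dataclasses import dataclass

# Constructed policy modelled on the rule families of policy 500.
# Permission strings are "<action>:<resource>" and are hypothetical names.
POLICY = {
    "selection": {
        # trainee 506: permissions for a particular trainee
        "trainee": {"alice": {"read:repo_a", "build:repo_a", "write:file_b"}},
        # type of trainee 508: permissions by class or title
        "type_of_trainee": {"swe_trainee": {"read:repo_a"},
                            "it_trainee": {"read:infra_docs"}},
        # steps completed 512: permissions unlocked as training steps finish
        "steps_completed": {"code_change_merged": {"run:repo_a"}},
        # resources accessed 514: permission -> accesses that must come first
        "resources_accessed": {"write:file_b": {"write:file_a"}},
    },
    "removal": {
        # level of presence 516: losing presence suspends, can be restored
        "presence": {"max_distance_m": 2.0,           # distance 526
                     "require_web_conference": False, # web conference 528
                     "max_silence_s": 120},           # telephone conference 530
        # events 518: these remove permissions even with presence intact
        "period_of_time_s": 1800,                     # period of time 542
    },
}

# Constructed set of everything the trainer holds (plurality of permissions 334).
TRAINER_PERMS = {"read:repo_a", "build:repo_a", "run:repo_a",
                 "write:file_a", "write:file_b", "deploy:prod"}


@dataclass
class Presence:
    distance_m: float        # trainer's distance from the trainee's computer
    in_web_conference: bool
    silence_s: int           # seconds without conversation on the telephone


def select_permissions(policy, trainer_perms, trainee, trainee_type,
                       steps_done=(), accessed=frozenset()):
    """Selection rules 502: which of the trainer's permissions the trainee gets."""
    sel = policy["selection"]
    wanted = set(sel["trainee"].get(trainee, ()))
    wanted |= sel["type_of_trainee"].get(trainee_type, set())
    for step in steps_done:
        wanted |= sel["steps_completed"].get(step, set())
    # Resources-accessed rule: hold a permission back until its prerequisite
    # accesses have actually happened in the session.
    for perm, prereq in sel["resources_accessed"].items():
        if perm in wanted and not prereq <= set(accessed):
            wanted.discard(perm)
    # Never provide anything the trainer does not hold. The trainee's own
    # permissions are outside this policy and are not touched here.
    return wanted & set(trainer_perms)


def removal_reasons(policy, presence, elapsed_s, trainer_revoke=False):
    """Removal rules 504. Returns (suspend, revoke): presence-based reasons,
    after which permissions may come back (FIG. 8), and event-based reasons,
    after which they do not (FIG. 9)."""
    rem = policy["removal"]
    p = rem["presence"]
    suspend, revoke = [], []
    if presence.distance_m > p["max_distance_m"]:
        suspend.append("distance")
    if p["require_web_conference"] and not presence.in_web_conference:
        suspend.append("web_conference")
    if presence.silence_s > p["max_silence_s"]:
        suspend.append("telephone_silence")
    if elapsed_s >= rem["period_of_time_s"]:
        revoke.append("period_of_time")
    if trainer_revoke:
        revoke.append("trainer_input")
    return suspend, revoke


if __name__ == "__main__":
    print(select_permissions(POLICY, TRAINER_PERMS, "alice", "swe_trainee"))
    print(removal_reasons(POLICY, Presence(3.5, True, 10), 600))
```

Two checks in select_permissions carry the security weight: the intersection with the trainer's own permission set means a generous trainee or type rule can never hand out more than the trainer holds (the it_trainee entry above yields nothing from this trainer for that reason), and the resources-accessed prerequisite is evaluated against what was actually accessed, not against what the rule set says should have been.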

The illustration of policy 500 in FIG. 5 is only an example of one manner in which policy 325 in FIG. 3 may be implemented. Other policies may include or have rules other than the rules illustrated in these particular examples. Of course, in some illustrative examples, some of the rules illustrated for policy 500 may be omitted or replaced with other rules.

With reference next to FIG. 6, an illustration of a resource management environment is depicted in accordance with an illustrative embodiment. In this example, resource management environment 600 is an example of one implementation for resource management environment 300 in FIG. 3. As depicted, resource management environment 600 includes user 602, user 604, and computer 606. User 602 and user 604 are located at computer 606. Computer 606 is an example of an implementation of computer system 302 in FIG. 3.

User 602 is a trainer, while user 604 is a trainee. User 602 enters credentials into computer 606 to begin a training session in this example. User 604 will have the number of access permissions of user 602 as long as user 602 has a selected level of presence. In this example, the level of presence of user 602 may be determined by the presence of user 602 at computer 606 or the physical proximity of user 602 to computer 606.

Camera 608 may be part of facial recognition system 418 in FIG. 4 and identifies the presence of user 602 at computer 606. In these illustrative examples, a presence of user 602 at computer 606 results in the number of permissions being provided to user 604.

Further, camera 608 may be used to determine the physical proximity of user 602 to computer 606. For example, when user 602 is located within a selected distance of computer 606, user 604 is provided with a number of access permissions of user 602.

Camera 608 also includes microphone 610 in this depicted example. Microphone 610 also may be used in voice recognition system 416 in FIG. 4 to detect the presence of user 602 at computer 606.

Additionally, the amount of activity or interaction of user 602 with user 604 may be detected using at least one of camera 608 and microphone 610. As one illustrative example, camera 608 may be used to track a focus of the eyes of user 602 and/or user 604. An absence or presence of the focus of the eyes of a user may determine the amount of activity or interaction of user 602 with user 604.

In another illustrative example, microphone 610 may be used to detect a speech pattern different from the speech pattern related to the tasks being performed by user 602 and user 604. In other examples, microphone 610 may be used to detect the interaction between a user and a cell phone, a music player, or some other device.

If user 602 is distracted by another user, a phone call, or some other event, the level of presence of user 602 may be reduced such that the number of permissions of user 602 may no longer be provided to user 604. When user 602 again has the desired level of presence, user 604 may then again be provided the number of access permissions of user 602.

With reference now to FIG. 7, an illustration of a resource management environment is depicted in accordance with an illustrative embodiment. In this example, resource management environment 700 is an example of one implementation of resource management environment 300 in FIG. 3. In this illustrative example, computer 702, computer 704, and computer 706 are connected to network 708. These components may be an example of an implementation of computer system 302 in FIG. 3. User 710 is a trainee, while user 712 is a trainer. In this example, user 712 performs training of user 710 using an electronic conference over network 708.

Various web conferencing tools may be used for the electronic conference. For example, the web conferencing system may be implemented using Lotus Live Meetings, which is available from International Business Machines Corporation, or WebEx, which is available from WebEx Communications, Inc.

In this example, user 712 presents credentials to the computer system. As a result, user 710 has a number of permissions of user 712 in performing the training session in these examples. In the web conference, user 710 may share a desktop with user 712. As long as user 712 maintains a selected level of presence, user 710 has the number of permissions of user 712.

The level of presence of user 712 may be the presence of user 712 in the web conference, the amount of activity performed by user 712 in the web conference, the physical proximity of user 712 to computer 706 during the web conference, and other types of presence. If user 712 logs off or does not have a desired level of activity, the number of permissions of user 712 is no longer provided to user 710.

Additionally, some events may occur which cause the number of permissions of user 712 to no longer be provided to user 710. For example, if user 710 attempts to perform an action to delete selected files, the providing of the number of permissions of user 712 may be interrupted or suspended. Also, the action attempted by user 710 is not performed. Additionally, if user 712 moves an application from the front to the background such that the application can no longer be seen on the desktop, the permissions may no longer be provided to user 710.

As another example, if user 710 no longer shares the desktop with user 712, the number of permissions of user 712 also may no longer be provided to user 710. Further, user 710 also may be provided permissions from additional users, such as user 714 at computer 704. User 714 is another trainer in this example.

When user 714 presents credentials, a number of permissions of user 714 are also provided to user 710. These permissions are to various resources. The resources for the number of permissions for user 714 and user 712 may be the same resources or different resources, depending upon the particular implementation. If user 714 no longer has a desired level of presence, the number of permissions of user 714 also may be removed. In some illustrative examples, the permissions of user 712 and user 714 may remain even if one of user 712 and user 714 no longer has a desired level of presence.

The illustration of resource management environment 600 in FIG. 6 and resource management environment 700 in FIG. 7 are only examples of implementations of resource management environment 300 in FIG. 3. These examples are not meant to imply physical or architectural limitations to the manner in which other resource environments may be implemented. Other resource management environments may include other numbers of networks and computers than those illustrated in these depicted examples. For example, in some illustrative examples, computers may be in communication with each other using a peer-to-peer network, a direct wireless communications link, or some other suitable type of communication. Additionally, in some illustrative examples, a single trainer may be present to train multiple users.

With reference now to FIG. 8, a flowchart of a process for managing resources in a network is depicted in accordance with an illustrative embodiment. The process in FIG. 8 may be implemented in resource management environment 300 in FIG. 3. In particular, these different steps may be steps performed by access control process 324. The different steps illustrated in this flowchart may be implemented in program code for running on one or more computers in computer system 302.

The process begins by receiving first credentials of a first user to a computer system (step 800). In this step, the first user presents the credentials. These credentials are used to determine whether to provide the user access to resources and what type of permissions are provided to the resources.

The process then validates the first credentials of the first user (step 802). The validation determines the identity of the first user and identifies the permissions that the first user has for access to different resources. In these illustrative examples, the first user is a trainer or supervisor.

Responsive to the first credentials for the first user being validated, a second user is provided a number of access permissions of the first user to a number of resources in the computer system (step 804). In these examples, the second user is a trainee.

Thereafter, the process monitors for a level of presence of the first user relative to the computer system (step 806). In these illustrative examples, the level of presence may take a number of different forms, such as described above. For example, the level of presence may be a physical presence of the first user at a computer, a number of actions performed by the first user, the type of actions performed by the first user, and other suitable factors that may be used to determine the level of presence of the first user.

A determination is made as to whether a preselected level of presence of the first user is present from the monitoring (step 808). If the preselected level of presence is present, the process returns to step 806. Otherwise, if the preselected level of presence is not present, the process ceases to provide the second user the number of access permissions of the first user to the number of resources in the computer system (step 810).

Next, a determination is made as to whether monitoring for the preselected level of presence should terminate (step 812). If the monitoring should terminate, the process terminates. The monitoring may terminate when the training session is completed, the first user has logged off, or some other suitable action occurs. If monitoring of the preselected level of presence of the first user should not terminate, the process monitors for a preselected level of presence of the first user (step 814).

A determination is then made as to whether the preselected level of presence of the first user is now present (step 816). If the preselected level of presence of the first user is present, the process then provides the second user with the number of access permissions of the first user (step 818), with the process returning to step 806 thereafter. In this manner, the number of permissions of the first user may be returned to the second user if the level of presence of the first user returns to the preselected level. Otherwise, the process returns to step 812 as described above.

With reference now to FIG. 9, an illustration of a process for ceasing to provide a user permissions to access resources is depicted in accordance with an illustrative embodiment. The process illustrated in FIG. 9 may be implemented in resource management environment 300 in FIG. 3. In particular, the steps in this process may be implemented as program code that may be run by one or more computers for access control process 324 in FIG. 3.

The process begins by monitoring for events (step 900). These events may take a number of different forms. For example, the events may be actions by a user, a process, a change to a resource, or some other suitable event. A determination is made as to whether the number of permissions of the first user should cease to be provided to the second user in response to an event (step 902). This determination may be made using a policy, such as policy 500 in FIG. 5, in these examples.

If the number of permissions of the first user is no longer to be provided to the second user, the process ceases to provide the second user the number of permissions of the first user (step 904), with the process terminating thereafter. The second user is no longer provided the number of permissions of the first user even though a preselected level of presence of the first user is present in this example.

With reference again to step 902, if no determination is made to cease providing the second user the number of permissions of the first user, the process returns to step 900 to continue to monitor for events.

With reference now to FIG. 10, a flowchart of a process for managing access to resources is depicted in accordance with an illustrative embodiment. The process illustrated in FIG. 10 may be implemented in resource management environment 300 in FIG. 3. In particular, these different steps may be implemented as part of access control process 324 in FIG. 3.

The process begins with a trainer presenting credentials to a computer system (step 1000). Thereafter, a number of trainees is provided a portion of a plurality of access permissions of the trainer (step 1002). The process then monitors for events (step 1004). In these examples, the events may be the completion of steps in the training session, a selected type of access to the resource, user input from the trainee, user input from the trainer, or other types of events.

A determination is made as to whether the event is a selected event for increasing access of the trainees (step 1006). Step 1006 may be performed using a policy, such as policy 500 in FIG. 5. If the event is not a selected event, the process returns to step 1004. Otherwise, the process adds additional access permissions from the plurality of access permissions of the trainer to the portion of the plurality of access permissions of the trainer provided to the trainees (step 1008). The process then returns to step 1004. In this manner, access permissions may be provided to trainees on a tiered or step basis.
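The processes of FIG. 8 (suspend on lost presence, restore when it returns), FIG. 9 (remove on an event, with no restoration) and FIG. 10 (add tiers of the trainer's permissions as steps complete) combine into one state machine per trainee session. The Python below is an added example, not code from the patent; it also covers the resource access 536 and selected action 538 rules of policy 500 and the multiple-trainer case of FIG. 7. Credential validation (step 802), the decision that the preselected level of presence is present or absent (step 808), and the policy evaluation that names an event as a removal event are assumed to happen outside the code shown and to arrive as its inputs. All permission names, trainer and trainee names, and the walk-through scenario are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ACTIVE = "active"        # trainer present: permissions provided
    SUSPENDED = "suspended"  # presence lost: may be restored (FIG. 8, steps 812-818)
    REVOKED = "revoked"      # removal event: not restored (FIG. 9)


@dataclass
class Grant:
    """The permissions one trainer lends to the trainee."""
    full: frozenset               # plurality of access permissions 334
    portion: frozenset            # initial portion (step 1002)
    tiers: tuple                  # further sets unlocked per step (step 1008)
    level: int = 0                # number of tiers unlocked so far
    state: State = State.ACTIVE

    def permissions(self) -> frozenset:
        if self.state is not State.ACTIVE:
            return frozenset()
        perms = set(self.portion)
        for tier in self.tiers[:self.level]:
            perms |= tier
        return frozenset(perms & self.full)   # never exceed the trainer


@dataclass
class TraineeSession:
    trainee: str
    allowed_resources: frozenset   # resource access 536: anything else revokes
    forbidden_actions: frozenset   # selected action 538: attempting it revokes
    grants: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def trainer_authenticated(self, trainer, full, portion, tiers=()):
        """Step 804/1002. Assumes the caller already validated the trainer's
        credentials (step 802); this code never sees them."""
        self.grants[trainer] = Grant(frozenset(full), frozenset(portion),
                                     tuple(frozenset(t) for t in tiers))

    def presence(self, trainer, present):
        """Steps 806-818: suspend on lost presence, restore when it returns."""
        g = self.grants[trainer]
        if g.state is State.REVOKED:
            return                      # a removal event is final
        if present and g.state is State.SUSPENDED:
            g.state = State.ACTIVE
        elif not present and g.state is State.ACTIVE:
            g.state = State.SUSPENDED

    def step_completed(self, trainer):
        """Step 1008: unlock the next tier of that trainer's permissions."""
        g = self.grants[trainer]
        g.level = min(g.level + 1, len(g.tiers))

    def effective_permissions(self) -> set:
        """Union of every trainer's currently active grant (FIG. 7, user 714)."""
        perms = set()
        for g in self.grants.values():
            perms |= g.permissions()
        return perms

    def authorize(self, action, resource) -> bool:
        """Decide one attempted access. Computed per request so that a grant
        suspended or revoked a moment ago is not honoured from a cached result."""
        perm = f"{action}:{resource}"
        if resource not in self.allowed_resources or action in self.forbidden_actions:
            # Events 518: cease providing permissions and do not perform the
            # action. Assumption: every trainer's grant is revoked, not just one.
            for g in self.grants.values():
                g.state = State.REVOKED
            self.log.append(("revoke", perm))
            return False
        ok = perm in self.effective_permissions()
        self.log.append(("allow" if ok else "deny", perm))
        return ok


def demo():
    """Constructed walk-through; returns the authorization results in order."""
    s = TraineeSession("trainee", frozenset({"repo_a", "docs"}), frozenset({"delete"}))
    s.trainer_authenticated("trainer1",
                            full={"read:repo_a", "build:repo_a", "run:repo_a", "deploy:repo_a"},
                            portion={"read:repo_a"},
                            tiers=({"build:repo_a"}, {"run:repo_a"}))
    s.trainer_authenticated("trainer2", full={"read:docs"}, portion={"read:docs"})
    results = [s.authorize("build", "repo_a")]      # tier not yet unlocked -> deny
    s.step_completed("trainer1")
    results.append(s.authorize("build", "repo_a"))  # unlocked -> allow
    s.presence("trainer1", False)                   # trainer1 walks away
    results.append(s.authorize("build", "repo_a"))  # suspended -> deny
    results.append(s.authorize("read", "docs"))     # trainer2 still present -> allow
    s.presence("trainer1", True)                    # trainer1 returns
    results.append(s.authorize("build", "repo_a"))  # restored -> allow
    results.append(s.authorize("deploy", "repo_a")) # held by trainer, never lent -> deny
    results.append(s.authorize("delete", "repo_a")) # selected action -> revoke, deny
    results.append(s.authorize("read", "docs"))     # everything revoked -> deny
    return results, s


if __name__ == "__main__":
    results, session = demo()
    for entry, ok in zip(session.log, results):
        print(entry, ok)
```

Three properties of this arrangement are the ones worth preserving in a real implementation. Permissions are recomputed on every access check rather than copied into the trainee's session at grant time, so a suspension or revocation takes effect on the next request. A removal event is decided before the attempted action runs, which is what lets the deletion in selected action 538 not occur. And the trainee keeps acting under the trainee's own identity; the audit log records who attempted what with which lent permission, which is the auditing benefit claimed for not sharing credentials.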

Thus, the different illustrative embodiments provide a method and apparatus for managing resources. In response to the presentation of credentials of a first user to a computer system, a second user is provided a number of access permissions of the first user to a number of resources in the computer system. A level of presence of the first user relative to the computer system or to the second user is monitored. The second user continues to be provided the number of access permissions of the first user to the number of resources in the computer system as long as a preselected level of presence of the first user is present.

In this manner, access permissions of a first user may be provided to a second user based on a level of presence of the first user. As a result, a trainer does not need to log in at a computer with a trainee using the trainer's credentials. Instead, the trainee may log in and be provided access to additional permissions of the trainer on a temporary basis. In the illustrative embodiments, these additional permissions are provided as long as the trainer has a desired level of presence. In this manner, the trainer does not have to remember to revoke access when the trainer ends the training session or recognizes that the trainer is not able to monitor the training session as desired. Further, the different illustrative embodiments provide a desired process from an auditing perspective, because users do not share identification cards or credentials; the trainee acts under the trainee's own login, with the trainer's permissions attached temporarily.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, steps in two blocks shown in succession may, in fact, be performed substantially concurrently, or the blocks may sometimes be performed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

The invention can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In a preferred embodiment, the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.

Furthermore, the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any data processing system. For the purposes of this description, a computer-usable or computer readable medium can be any tangible apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction data processing system, apparatus, or device.

The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD.

A data processing system suitable for storing and/or executing programcode will include at least one processor coupled directly or indirectlyto memory elements through a system bus. The memory elements can includelocal memory employed during actual running of the program code, bulkstorage, and cache memories which provide temporary storage of at leastsome program code in order to reduce the number of times code must beretrieved from bulk storage during running of the program code by aprocessor unit.

Input/output or I/O devices (including but not limited to keyboards,displays, pointing devices, etc.) can be coupled to the system eitherdirectly or through intervening I/O controllers.

Network adapters may also be coupled to the system to enable the dataprocessing system to become coupled to other data processing systems orremote printers or storage devices through intervening networks. Modems,cable modem and Ethernet cards are just a few of the currently availabletypes of network adapters.

The description of the present invention has been presented for purposesof illustration and description, and is not intended to be exhaustive orlimited to the invention in the form disclosed. Many modifications andvariations will be apparent to those of ordinary skill in the art. Theembodiment was chosen and described in order to best explain theprinciples of the invention, the practical application, and to enableothers of ordinary skill in the art to understand the invention forvarious embodiments with various modifications as are suited to theparticular use contemplated.

1. A method for managing access to resources, the method comprising: responsive to a presentation of first credentials for a first user to a computer system, providing, by the computer system, a second user a number of access permissions of the first user to a number of resources in the computer system; monitoring, by the computer system, a level of presence of the first user relative to the computer system; and continuing to provide, by the computer system, the second user the number of access permissions of the first user to the number of resources in the computer system as long as a preselected level of presence of the first user is present.

2. The method of claim 1 further comprising: ceasing to provide the second user the number of access permissions of the first user to the number of resources in the computer system in response to an event using a policy even though the preselected level of presence of the first user is present.

3. The method of claim 1, wherein the level of presence is a collaboration proximity.

4. The method of claim 1, wherein the monitoring step comprises: monitoring the level of presence of the first user relative to the computer system using a biometric sensor system.

5. The method of claim 1, wherein the number of access permissions of the first user is a portion of a plurality of access permissions of the first user and further comprising: responsive to an event, adding additional access permissions from the plurality of access permissions of the first user to the number of access permissions of the first user provided to the second user.

6. The method of claim 5, wherein the event is a completion of a portion of a training session.

7. The method of claim 1, wherein the number of access permissions is a first number of access permissions and the number of resources is a first number of resources, and further comprising: responsive to a presentation of second credentials for a third user to the computer system, providing the second user a second number of access permissions of the third user to a second number of resources in the computer system in addition to the first number of access permissions; monitoring a level of presence of the third user relative to the computer system; and continuing to provide the second user the second number of access permissions of the third user to the second number of resources in the computer system as long as a preselected level of presence of the third user is present.

8. The method of claim 1, wherein the number of resources is an application.

9. A data processing system comprising: a bus; a communications unit connected to the bus; a storage device connected to the bus, wherein the storage device includes program code; and a processor unit connected to the bus, wherein the processor unit runs the program code to provide a second user a number of access permissions of a first user to a number of resources in a computer system in response to a presentation of first credentials for the first user to the computer system; monitor a level of presence of the first user relative to the computer system; and continue to provide the second user the number of access permissions of the first user to the number of resources in the computer system as long as a preselected level of presence of the first user is present.

10. The data processing system of claim 10, wherein the processor unit further runs the program code to cease to provide the second user the number of access permissions of the first user to the number of resources in the computer system in response to an event using a policy even though the preselected level of presence of the first user is present.

11. A computer program product for managing access to resources, the computer program product comprising: a computer recordable storage medium; program code, stored on the computer recordable storage medium, for providing a second user a number of access permissions of the first user to a number of resources in a computer system in response to a presentation of first credentials for the first user to the computer system; program code, stored on the computer recordable storage medium, for monitoring a level of presence of the first user relative to the computer system; and program code, stored on the computer recordable storage medium, for continuing to provide the second user the number of access permissions of the first user to the number of resources in the computer system as long as a preselected level of presence of the first user is present.

12. The computer program product of claim 11 further comprising: program code, stored on the computer recordable storage medium, for ceasing to provide the second user the number of access permissions of the first user to the number of resources in the computer system in response to an event using a policy even though the preselected level of presence of the first user is present.

13. The computer program product of claim 11, wherein the level of presence is a collaboration proximity.

14. The computer program product of claim 11, wherein the monitoring step comprises: program code, stored on the computer recordable storage medium, for monitoring the level of presence of the first user relative to the computer system using a biometric sensor system.

15. The computer program product of claim 11, wherein the number of access permissions of the first user is a portion of a plurality of access permissions of the first user and further comprising: program code, stored on the computer recordable storage medium, for adding additional access permissions from the plurality of access permissions of the first user to the number of access permissions of the first user provided to the second user in response to an event.

16. The computer program product of claim 15, wherein the event is a completion of a portion of a training session.

17. The computer program product of claim 11, wherein the number of access permissions is a first number of access permissions and the number of resources is a first number of resources, and further comprising: program code, stored on the computer recordable storage medium, for providing the second user a second number of access permissions of a third user to a second number of resources in the computer system in addition to the first number of access permissions in response to a presentation of second credentials for the third user to the computer system; program code, stored on the computer recordable storage medium, for monitoring a level of presence of the third user relative to the computer system; and program code, stored on the computer recordable storage medium, for continuing to provide the second user the second number of access permissions of the third user to the second number of resources in the computer system as long as a preselected level of presence of the third user is present.

18. The computer program product of claim 11, wherein the number of resources is an application.

19. The computer program product of claim 11, wherein the program code is stored on the computer recordable storage medium in a data processing system, and wherein the program code is downloaded over a network from a remote data processing system to the data processing system.

20. The computer program product of claim 11, wherein the program code is stored on the computer recordable storage medium in a server data processing system, and wherein the program code is downloaded over a network to a remote data processing system for use in a second computer readable storage medium with the remote data processing system.
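The claims above describe a procedure: lend a second user a subset of a first user's permissions once the first user presents credentials, keep re-checking the first user's presence, let the loan lapse when presence drops below a preselected level, revoke it on a policy event even while the first user is present (claims 2, 10, 12), widen it on an event such as completing part of a training session (claims 5, 6, 15, 16), and allow a third user to lend permissions in parallel (claims 7, 17). The following Python model is an added illustration of that procedure and is not code from the patent or any product; the ordered presence scale, the `(resource, operation)` permission tuples, the policy dictionary shape and every name in it are assumptions made for the example.

```python
"""Added example (not the patent's own code): presence-gated delegation of
one user's permissions to another. Every access decision re-evaluates the
delegator's current presence, so nothing borrowed outlives the preselected
level, and a policy can revoke or extend the loan on named events."""
from dataclasses import dataclass
from enum import IntEnum


class Presence(IntEnum):
    """Ordered presence levels reported by a monitor (assumed scale)."""
    ABSENT = 0
    REMOTE = 1       # same collaboration session, not in proximity
    NEARBY = 2       # within collaboration proximity (claims 3, 13)
    AT_CONSOLE = 3   # biometric sensor confirms the delegator (claims 4, 14)


@dataclass
class Delegation:
    delegator: str
    full_permissions: frozenset      # everything the delegator holds
    lent: set                        # subset currently provided to the delegate
    required_presence: Presence      # the preselected level for this loan
    presence: Presence = Presence.ABSENT
    revoked: bool = False

    def active(self) -> bool:
        """Borrowed permissions are usable only while the delegator's presence
        is at or above the preselected level and no policy event revoked them."""
        return not self.revoked and self.presence >= self.required_presence


class DelegatedAccess:
    """Access decisions for one delegate across one or more delegators."""

    def __init__(self, delegate: str, policy: dict):
        self.delegate = delegate
        # policy: event name -> "revoke", or a set of extra permissions to lend.
        # Unknown events are ignored (assumed shape).
        self.policy = policy
        self.delegations = {}
        self.audit = []

    def grant(self, delegator, credentials_valid, full_permissions, initial, required):
        """Step 1: provide the delegate a number of the delegator's permissions,
        only in response to a valid presentation of the delegator's credentials."""
        if not credentials_valid:
            self.audit.append(f"grant refused: bad credentials for {delegator}")
            return False
        full = frozenset(full_permissions)
        lent = set(initial) & full   # never lend what the delegator does not hold
        self.delegations[delegator] = Delegation(delegator, full, lent, required)
        self.audit.append(f"{delegator} lent {sorted(lent)} to {self.delegate}")
        return True

    def update_presence(self, delegator, level):
        """Step 2: the monitor reports the delegator's current presence level."""
        self.delegations[delegator].presence = Presence(level)

    def on_event(self, delegator, event):
        """Apply the policy to an event: revoke the loan even while the delegator
        is present, or add more of the delegator's own permissions to it."""
        d = self.delegations[delegator]
        action = self.policy.get(event)
        if action == "revoke":
            d.revoked = True
            self.audit.append(f"{event}: revoked {delegator}'s delegation")
        elif action:
            added = set(action) & d.full_permissions   # clipped to what they hold
            d.lent |= added
            self.audit.append(f"{event}: added {sorted(added)} from {delegator}")

    def allowed(self, resource, operation) -> bool:
        """Step 3: allow only while some active delegation lends the permission."""
        return any(d.active() and (resource, operation) in d.lent
                   for d in self.delegations.values())


if __name__ == "__main__":
    acc = DelegatedAccess("trainee", {"module1_done": {("repo", "write")},
                                      "trainee_error": "revoke"})
    acc.grant("mentor", True, {("repo", "read"), ("repo", "write")},
              {("repo", "read")}, Presence.NEARBY)
    acc.update_presence("mentor", Presence.NEARBY)
    acc.on_event("mentor", "module1_done")
    acc.update_presence("mentor", Presence.ABSENT)
    print(acc.allowed("repo", "write"))   # False: mentor no longer present
    print("\n".join(acc.audit))
```

The check in `allowed` is deliberately stateless with respect to earlier decisions: it consults the delegator's latest presence on every call rather than caching a "session is open" flag, which is what makes the loan end automatically when presence drops. The intersection with `full_permissions` in both `grant` and `on_event` is the guard a practitioner would want, since a delegation scheme must never let the second user end up with rights the first user does not themselves hold.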